DocumentationAPI ReferenceRelease Notes
Release Notes
Start typing to search…

Password Safe ECM Plugin 26.1.2 release notes

February 3, 2026

🆕 New features

Database Credentials for Protocol Tunnel Jump Items
  • New Support: Protocol Tunnel Jumps for MySQL, PostgreSQL, and Microsoft SQL Server databases
  • Port Specification: Custom database ports now supported using multiple notation formats:
    • Standard notation: hostname:port or IPv4:port
    • Windows comma notation: hostname,port or IPv4,port or IPv6,port
    • RFC-compliant IPv6 bracket notation: [IPv6]:port
  • Default Ports: Automatically applied when not specified (MySQL: 3306, PostgreSQL: 5432, SQL Server: 1433)
IPv6 Address Support
  • Full IPv6 Support: Complete recognition and validation of IPv6 addresses across all credential types
  • Supported Formats:
    • Full IPv6: 2001:db8:85a3:0:0:8a2e:370:7334
    • Compressed notation: 2001:db8::1, ::1, ::
    • IPv4-mapped IPv6: ::ffff:192.168.1.1
    • IPv6 with ports: [2001:db8::1]:5432
  • Wildcard Patterns: IPv6 credential matching with wildcards (that is, 2001:db8:85a3:0:0:8a2e:370:*)
Framework and Dependencies
  • Upgraded to .NET Framework 4.8 (from 4.5)
    • Enhanced security features
    • Improved performance and reliability
    • Extended support lifecycle
  • Updated Dependencies:
    • ECM and Util DLLs updated to version 1.6.2601
    • All NuGet packages updated to latest stable versions
Code Quality Enhancements
  • Enhanced IP Address Validation: Improved IP detection and parsing with comprehensive IPv4 and IPv6 validation
  • Improved Filtering: Better DNS name, hostname, and port filtering logic
  • Expanded Unit Tests: Extensive test coverage for new IPv6 and port parsing functionality

✨ Enhancements

  • There are no new enhancements.

🛠️ Issues resolved

  • There are no new issues resolved.

🗒️Notes

  • Ensure .NET Framework 4.8 is installed before upgrading
  • No configuration changes required
  • All existing configurations remain compatible

📝Requirements

  • Requires BeyondTrust ECM v1.6.2601+

BT Updater Client 3.5.2 release notes

February 3, 2026

🆕 New features

This is a maintenance release and there are no new features.

✨ Enhancements

Desktop client being deprecated in version 4.0

The following banner appears in the product:

This desktop client has been deprecated and will be removed from the product in version 4.0. All users should be utilizing the browser-based interface located at http://<IP>/UpdaterSettings.

where <IP> is the actual IP of the local computer.

Improved handling of Endpoint Priviled Management (EPM) bundles

We improve how the platform handles Endpoint Privileged Management (EPM) bundles, making bundle imports more reliable, streamlining version management, and helping you catch configuration conflicts earlier and more accurately.

🛠️ Issues resolved

DescriptionResolution
Updater is overwriting log files on subsequent install attemptsCode was added to create unique log file in Updater’s log folder, for each installation attempt of a package.
When Updater attempts to install a version of software but a newer version is already installed it returns the install attempt as a failure.The MSI Error Code 1638 has been included in the success code collection, allowing the Updater to identify it as a success when it is returned by the MSI.
Currently SUPI engine will install each individual version that is available.You can now select the latest version of SUPI Engine and skip all the versions in between.
When the Updater service is paused there is no notification.A banner has been added to the Web UI that shows a message regarding the download status when it is paused. Additionally, this banner includes a button that allows users to enable the Updater service and resume downloads.
Updater not creating entries for BeyondInsight Password Safe in package.dbThe BeyondInsight Password Safe subscription check has been removed from the local database refresh process.
Some tiles show as blank or empty when the server is unresponsive.A loading spinner has been added in the Other Subscriptions panel, which stays visible until the service delivers data to the user interface.
When setting a download schedule to exclude a day the download was still occurring.Download schedule is now being respected.
When you install a PMUL package with AD Bridge subscriptions, the installation order does not work as expected.The recent code addition implements an explicit cleanup process for all old files and folders in the designated PMUL directory, excluding the folder named adbridge. This enhancement aims to improve file management by removing files that were created by earlier versions.

📝 Requirements

  • .NET 4.7.2 or later
  • IIS to be enabled on host

Workforce Passwords Browser Extension 25.4.0.1 release notes

January 29, 2026

🆕 New features

Configurable Uniform Resource Identifier (URI) Match Detection

We’ve added a new configuration option to allow better control over which credentials are presented for autofill on a given site.

Configurable from the Extensions Options page, the Default URI Match Detection option allows the following values:

  • Base domain (default for prior browser extension releases)
  • Host

To understand the URL https://mysite.ps.beyondtrustcloud.com/webconsole/login, use the following table:

SectionValue
Top Level Domaincom
Second Level Domainbeyondtrustcloud
Subdomainmysite.ps
Hostnamemysite.ps.beyondtrustcloud.com

Base Domain

When Base Domain is selected, only credentials that have the same top-level domain and second-level domain are available for autofill. This means that credentials are shared across various sub-domains, such as a credential for okta.beyondtrust.com could be used on jfrog.beyondtrust.com.

For example, the URL https://mysite.ps.beyondtrustcloud.com would behave as follows if Base Domain was the selected behavior:

URLMatches
https://mysite.ps.beyondtrustcloud.comYes
https://fusbi.ps.beyondtrustcloud.comYes
https://beyondtrustcloud.comYes
https://mysite.ps.beyondtrustcloud.co.ukNo
https://app.beyondtrust.ioNo

Host

When Host is selected, only credentials that have the same hostname and, if specified, port is presented for autofill.

For example, the URL https://mysite.ps.beyondtrustcloud.com would behave as follows if Host was the selected behavior:

URLMatches
https://mysite.ps.beyondtrustcloud.comYes
https://fusbi.ps.beyondtrustcloud.comNo
https://beyondtrustcloud.comNo
https://mysite.ps.beyondtrustcloud.co.ukNo
https://app.beyondtrust.ioNo

🛠️ Issues resolved

🔧 Workforce Passwords

DescriptionResolution
When you deploy Workforce Passwords extension via GPO, you receive frequent notifications that Workforce Passwords has been updated.Corrected the update detection logic to no longer incorrectly trigger an update notification.
On some websites, Workforce Passwords was inadvertently overriding the styling of the web page content.CSS styling in Workforce Passwords has been adjusted to no longer ‘leak’ into the host website.

📝 Requirements

Requires BeyondTrust Password Safe version 23.2.0 or later release.

🗒️ Notes

This release is available in:

Password Safe Cloud Resource Broker 25.3.58.30001

January 28, 2026

ℹ️

You can download this release from your Password Safe Cloud portal by navigating to Configuration > Resource Zones and clicking Download Installer.

🆕 New features

This is a maintenance release. There are no new features.

✨ Enhancements

This is a maintenance release. There are no new enhancements.

🛠️ Issues resolved

This is a maintenance release. There are no issues resolved.

📝 Requirements

  • We recommend a restart after this update.

🗒️ Notes

  • Direct upgrades to 25.3.58.30001 are supported from all previous versions.
  • .NET hosting bundle v8.0.21 is included
  • Session Monitoring Agent (pbsmd) 25.3.48 is included
  • Enhanced Session Monitoring Agent (pbpsmon) 25.3.48 is included
  • This release bundles version 25.3.0.2025 of the BeyondTrust Discovery Scanner, corresponding release notes, see View the Discovery Scanner release notes..
  • PS Automate 25.3.0 is included
  • SAP platform password changes now set a ProgramID = PasswordSafe_SAP_Connection property to provide support for SAP gateways.

⚙️ Signatures

  • The MD5 signature is: E7773A43C026AD645A17DC26EB536815
  • The SHA-1 signature is: CA8D4E55962AA84DAC8EE7402ECC3FDFBA990CE9
  • The SHA-256 signature is: E2872789E2031D1403CE6F3FCCC2AE3DDFC51781D1E1205EBFAAE047F5958C82

U-Series Appliance 4.5.0 release notes

January 22, 2026

🆕 New features

Streamlined Certificate Management

Manage certificates with ease. Now you can view, import, edit, generate, export, move, and delete certificates directly from the Appliance web interface. No need for remote desktop or Microsoft Management Console (MMC). This enhanced workflow simplifies updates, supports all requested use cases, and even adds the ability to transfer certificates between appliances.


ℹ️

For more information, see Certificate Management.

Forced Encryption

Appliance users can now encrypt the data connection to Microsoft SQL Server using a certificate of their choice without the need to establish a Remote Desktop Protocol (RDP) session. This enhancement eliminates the previous requirement to manually upload certificates and configure encryption through the BeyondInsight Configuration Tool or SQL Server Network Configuration.


ℹ️

For more information, see Forced Encryption for SQL Server connections.

✨ Enhancements

Proxy server

Proxy configuration settings have been removed from Password Safe. All proxy server settings are now managed directly on the U-Series appliance, providing a centralized and streamlined configuration process.

Certificate management for mirroring between the two high availability (HA) nodes

We’ve introduced enhancements to simplify certificate management. These improvements reduce manual configuration steps, minimize administrative overhead, and improve overall security compliance. Administrators can now manage certificates more efficiently, ensuring a smoother setup and maintenance process for HA deployments.

ℹ️

For more information, see Certificate mirroring between two HA nodes.

🛠️ Issues resolved

IssueResolution
All users were added to the Notifications drop down.Removed non-admin BeyondInsight users from notification drop down
Password fields are not cleared when navigating away from the page.Password fields are cleared when navigating away from the page
The all panels, including the Welcome panel, remain open when the system automatically logged out.All Open dialogs are closed when the logon page is shown.
When you deploy and configure an Azure appliance if the appliance name is same, the Configuration wizard displays an error message while you configure the Phoenix client.Makes sure your computer is renamed every time it needs to be.
When you use Dark Mode theme, the colors in the Notifications drop down do not follow the scheme colors.Colors in Notifications drop down now follow the colors of the selected theme.
Performance graphs are not responsive with minimum supported screen resolution.Graphs align with screen resolution.
The Slider feature moves visually when you click the Discard button from the Features and Services panel.The message, There are no changes to be discarded displays when there are no discarded changes.
A generic 404 message displays on the root site when you type URL at the root site.Created custom error pages for missing (404) pages.
A visible gap or blank space appears in the backup and restore table when the window size is changed.UI adjusted to remove the gap.
When you click the Forgotten Password link, there is not an option to return to the Login page.A link to return to the login page was added.
There is no tooltip for the Enter the NFS File Share Location section on the Log File Export page.A tooltip now exists for the feature.
When you select to configure backups later in the Configuration Wizard, the calendar text turns to red.Removed the red text as it was unnecessary.
SQLFree computers do not backup the RetinaCSDatabase, however in the options to create a backup, the BeyondInsight Database is one of the available options.Added static text to indicate that remote database will not be backed up.
An error message displays when you enter a value exceeding the upper bound in Database Connection Settings.Fixed validation to give the correct error message.
Permissions and logins are created on installation and not when a feature is enabled.Initial checks are removed from the installer to a service, so it can check when the feature is enabled.
The URL path to the Proxy Server page does not match the actual page name.The URL path is updated.
Previously scheduled events (backups, log exports, etc.) no longer run on schedule.Updated stored schedules to reference the proper service name.

📝Requirements

  • .NET 8.0 or later (available through BT Updater via Supporting Software SUPI subscription)
  • SUPI 3.3.2 (available through BT Updater)

🧩 Dependencies

  • Security Management Appliance is dependent on BeyondInsight 24.1

Password Safe Cloud Resource Broker 25.2.0.1941

January 8, 2026

ℹ️

You can download this release from your Password Safe Cloud portal by navigating to Configuration > Resource Zones and clicking Download Installer.

🆕 New features

This is a maintenance release. There are no new features.

✨ Enhancements

SAP platform password changes now set a ProgramID = PasswordSafe_SAP_Connection property to provide support for SAP gateways.

🛠️ Issues resolved

This is a maintenance release. There are no issues resolved.

📝 Requirements

  • We recommend a restart after this update.

🗒️ Notes

  • Direct upgrades to 25.2.0.1941 are supported from all previous versions.
  • This release bundles version 25.2.0.1971 of the BeyondTrust Discovery Agent. View the Discovery Agent 25.2.0.1971 release notes.
  • .NET hosting bundle v8.0.21 is included.
  • Session Monitoring Agent (pbsmd) is updated to 25.1.45.
  • Enhanced Session Monitoring Agent (pbpsmon) 25.1.43 is included.
  • PS Automate build 16357480509 is included.

⚙️ Signatures

  • The MD5 signature is: F8E2C665803AA852E4FF34F32BB5A275
  • The SHA-1 signature is: 264EDABB858BC74A7AD76549F3F2FF8FF9F14BB5
  • The SHA-256 signature is: 8A23E131ABFF60CBD42AB581D9D9DE17CC6182B716B64F5B940A7F457FF49FDF

BT Updater Server 2.0.5 release notes

December 19, 2025

🆕 New features

There are no new features with this release.

🛠️ Issues resolved

DescriptionResolution
Dependencies are not showing in the UI, but are being enforced.Fixed a missing call to get dependencies based on the current package
Unable to download packages when you use an Enterprise Updater child node.Fixed the call to get the next package for child nodes.

Password Safe Mobile app 1.3.0 release notes

December 18, 2025

🆕 New features

  • TOTP feature support. This requires BIPS 25.3 or later.
  • Update to support BIPS 25.3 release.

🛠️ Issues resolved

IssueResolution
When you open a context menu, the app's User Interface (UI) freezes.The UI works as expected and displays the correct menus.
When you sign in to Microsoft Intune on a device with your Company Portal app installed, an incorrect error message may appear.The UI behavior has been improved. You now have option to accept and continue with Microsoft InTune Setup or dismiss it. The app remembers your choice.

📝 Requirements

  • Password Safe 25.1 or later

Resource Kit 25.3.0 release notes

December 11, 2025

📝 Requirements:

BeyondTrust Password Safe 25.3.0 or later.

🆕New features and enhancements:

  • Updated Platform SDK to support Password Safe 25.3.
  • Secrets Safe PAPI GET /secrets-safe/secrets now correctly defaults decrypt to false and consistently returns the owner email while only returning the password when decrypt=true.
  • Checksums:
    • Enhanced Session Utility
      • pbpsmon-25.3.48.msi
        • SHA256: 3df1058efd18fed4b6db148ac5688f589691eaca863c84f6b40cefa5bf04a14c
      • pbpsmon-25.3.48.exe
        • SHA256: 5ddc08023a9d812f725d046b6a3be74f4088e582d16f9d7013256e4da8aefeb3
    • Secrets Cache
      • beyondtrust-secrets-cache-25.3.50-x64.exe
        • SHA256: 458bdcdceb6ed928e7010f1c60832f85e2760ff419fa3a00f59a66e188dde500
      • beyondtrust-secrets-cache-25.3.50-1.el10.x86_64.rpm
        • SHA256: 847b89ef57d4cf15dc5ec1231b4f6fdfe6a77fa91010b6bc52630646caa1df01
      • beyondtrust-secrets-cache-25.3.50-1.el9.x86_64.rpm
        • SHA256: 936f8434276833ed3e5ba2455906b6e2091cbaae0c19c99500f5a0f80d27a488
      • beyondtrust-secrets-cache-25.3.50-1.el8.x86_64.rpm
        • SHA256: 39b0271dfdd71cda3661a3530bccd1b0e43669a2526b16bb97e2e5266e262956

🗒️Notes:

Password Safe Cloud Resource Broker 25.3.55.1 release notes

December 11, 2025

ℹ️

You can download this release from your Password Safe Cloud portal by navigating to Configuration > Resource Zones and clicking Download Installer.

🆕 New features

There are no new features.

✨ Enhancements

There are no enhancements.

🛠️ Issues resolved

No issues are resolved in this release.

📝 Requirements

  • This release bundles version 25.3.0.2025 of the BeyondTrust Discovery Scanner, see corresponding release notes .
  • .NET hosting bundle v8.0.21 is included
  • Session Monitoring Agent (pbsmd) 25.3.48 is included
  • Enhanced Session Monitoring Agent (pbpsmon) 25.3.48 is included
  • PS Automate 25.3.0 is included
🚧

Important information

We recommend a restart after this update.

🗒️ Notes

  • Direct upgrades to 25.3.55.1 are supported from all previous versions.

⚙️ Signatures

  • The MD5 signature is: 48C48A2C90757DAF4B66494ED0C6A1EA
  • The SHA-1 signature is: 614FA02EE1E75660703E6CD50606A0D7AD7002FB
  • The SHA-256 signature is: 590340790C55EFD17AE5537AF5653A019F5F8644D3F78007B655FB52BA3324BF

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.